Infosec from @rattis' point of view

Monthly Archives: August 2015

I don’t care what people want to do in their spare time. I don’t care about the teaser dump, I don’t care about the 9 gig dump, I don’t care about the 20 gig dump, and I don’t care about the 300 gigs that Impact Team claims to have.

However, as someone whose job it is to defend the company, a member of the Blue Team, there are responsibilities I have to the company. Instead of DMCA takedown notices, Avid Life, or at least the Incident Response team, should be working with any non-webmail based domain. So if a company’s domain shows up in the list, they should contact that company’s CIRT team. This allows the CIRT to defend against any possible attacks.

Now, granted, the attacks the CIRTs are most likely to see are Spear Phishing and account brute force attacks. It still makes sense to share the relevant information. I believe the same about the Anthem and OPM breaches. In all these cases, these have been missed opportunities.
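The triage step the post describes, in code as an added example (not from the blog or from Avid Life): take a list of exposed addresses, group them by domain, drop consumer webmail domains (where there is no corporate CIRT to notify), and produce one record per organization so its CIRT can force resets and watch for spear phishing and brute force against those accounts. The webmail domain list and the sample dump are constructed for the example.

```python
"""Turn a breach dump of e-mail addresses into per-organization notification lists."""
from collections import defaultdict

# Assumption (constructed list): consumer webmail providers with no corporate CIRT.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Constructed sample dump; not real data. Includes a malformed line and mixed case.
SAMPLE_DUMP = """\
alice@example.com
bob@example.com
carol@gmail.com
dave@corp.example.org
not-an-email
ERIN@Example.COM
frank@corp.example.org
"""


def parse_address(line):
    """Return (local, domain) for a plausible address, or None for junk lines."""
    line = line.strip()
    if line.count("@") != 1:
        return None
    local, domain = line.split("@")
    domain = domain.lower()
    if not local or "." not in domain:
        return None
    return local, domain


def group_by_domain(dump_text):
    """Map domain -> sorted, de-duplicated addresses, skipping malformed lines.

    Local parts are lowercased for de-duplication; most mail systems treat them
    case-insensitively in practice even though the RFC does not require it.
    """
    groups = defaultdict(set)
    for line in dump_text.splitlines():
        parsed = parse_address(line)
        if parsed is None:
            continue
        local, domain = parsed
        groups[domain].add(f"{local.lower()}@{domain}")
    return {domain: sorted(addrs) for domain, addrs in groups.items()}


def notification_list(dump_text, webmail=WEBMAIL_DOMAINS):
    """Only the domains that have a CIRT to notify: org domain -> its exposed addresses."""
    return {
        domain: addrs
        for domain, addrs in group_by_domain(dump_text).items()
        if domain not in webmail
    }


def outreach_priority(dump_text, webmail=WEBMAIL_DOMAINS):
    """Domains ordered by number of exposed accounts, most exposed first."""
    exposed = notification_list(dump_text, webmail)
    return sorted(exposed, key=lambda d: (-len(exposed[d]), d))


if __name__ == "__main__":
    for domain in outreach_priority(SAMPLE_DUMP):
        addrs = notification_list(SAMPLE_DUMP)[domain]
        print(f"notify CIRT for {domain}: {len(addrs)} account(s)")
        for addr in addrs:
            print(f"  {addr}")
```

Each organization receives only the addresses under its own domain, which is all its CIRT needs to reset credentials and tune phishing detection; the rest of the dump stays with the notifying team.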

Based on what I’ve done so far, what I’ve sat through in presentations, and what I’ve learned in school, not enough of us are working together. Company CIRTs stop at the perimeter when they should probably be sharing information. I’ve seen too many in the industry saying “that’s their problem, let them find it”. Meanwhile, how many times have we as an industry seen news stories saying Company X didn’t know they were breached until they were pinged by the U.S. Gov?

I know that Scott Roberts, in his BSides Columbus talk, said there were out-of-band forums that some people use, and it sounded like the members were from multiple CIRTs. But what is the usage like compared to all the CIRTs / Security Teams / Sole Admins supporting the whole company, that could use that kind of forum for help?

Should the CIRT team’s responsibility stop at the perimeter, or should all the teams out there have ways to work together through a web of trust to make attacking harder?

I’ve been in the industry a while. I learned Unix and Linux administration in the mid to late 90s. I remember the old monolithic configurations, and I’ve seen the overly complex modular configurations for things we have now.

Google Earth Forensics (needs to be read while at pc with Google Earth, hands on)

Mass Killers (need to finish)

Rise of the Warrior Cop (need to finish)

The Hobbyist’s Guide to the RTL-SDR (Needs to be read at pc, with SDR, hands on)

Kathy Reichs short story Bones in her Pocket

Incident Response & Computer Forensics

Hacker’s Challenge 1: Incident Response

The 30th edition, illustrated Princess Bride (birthday present)

And of course, classes start soon, which means even less time to read. The novels I could probably do on books on audio with my current drive, but I’m not a fan of audio books, I zone them out, and miss too much.

Of the above list, the ones with bookmarks in them: Mass Killers, Blue Team Handbook, Google Earth Forensics, Rise of the Warrior Cop, and The Hobbyist’s Guide to the RTL-SDR. Counter Hack should be in that list, but I lost my other copy and bought a second, starting fresh.

First off, Getting an Information Job for Dummies took way too long for me to read. But that’s because of other commitments. I got the book in May, when a lot of people in the echo chamber were trashing it. I was also looking for advantages in trying to find a new job that went with my B.S. in Information Assurance, and after 6 months I was feeling desperate.

First, the book isn’t as good as it could have been. Second, it wasn’t as bad as people were making it out to be on Twitter. Third, the author uses too much of his own personal experience in it (something I’m guilty of with this blog). Fourth, he kept equating lock picking to crime, which I didn’t like at all, and being from Washington I thought he’d do better. They are legal there.

Last Thursday I listened to Risky Business 377. The part that really got me engaged was the section with the sponsor, RSA. They were talking about how they are working with schools to build educational SOCs.

What they were talking about though, and I’m paraphrasing from my point of view, was making universities less theory-like and more trade-school-like. For example, why not add a Check Point certification class to get students out with some experience and a certification after 3 months of class?

So for those that hadn’t heard, I started a new job about a month ago. I’m no longer doing firewall audits, secure network design, and mainframe web emulation. I was kind of sad to leave some of the projects I was working on unfinished, but that was the nature of the beast.

So now I’m working in a Security Operations Center, as a CIRT Event Analyst (or at least that was the job description they sent me after I interviewed, describing what the job was going to be).

The downside is I now have a 2+ hour daily commute. It should take 45 minutes or less, but, well, we only have 2 seasons: Winter and Road Construction. It also means I have less time to work on things I want to. Reading and projects have been affected.

I’ve also been less than healthy lately. I got really sick before BSides Detroit. The night before the con, I was at the hospital. I also ended up missing the con because of being sick. A fever for a week, and everything spinning regardless of whether I was sitting, standing, or lying down. Turns out I had an inner ear infection. Got drugs that helped but didn’t make me better. I ended up running a fever for 3 weeks. Now I just have this annoying cough.